Base Jumping: Attacking the GSM baseband and base station
Overview
❖ GSM
❖ Base Station
❖ Base Band
❖ Conclusion
GSM: The Protocol
Documents
❖ Dozens of docs
❖ Thousands of pages
❖ Important one (defines L3): GSM 04.08
Logical Channels
❖ Broadcast Channels (BCH)
❖ Broadcast Control Channel (BCCH)
❖ Frequency Correction Channel (FCCH)
❖ Synchronization Channel (SCH)
❖ Cell Broadcast Channel (CBCH)
Logical Channels, cont.
❖ Common Control Channels (CCCH)
❖ Paging Channel (PCH)
❖ Random Access Channel (RACH)
❖ Access Grant Channel (AGCH)
Logical Channels, cont.
❖ Standalone Dedicated Control Channel (SDCCH)
❖ Associated Control Channel (ACCH)
❖ Fast Associated Control Channel (FACCH)
❖ Slow Associated Control Channel (SACCH)
GSM Channels
❖ Opening a channel is slow
❖ Can take seconds
❖ Specific channels for specific uses
Opening a channel
(figure) Sequence of channels used: RACH → AGCH → LCH
(figure) When the network pages first: PCH → RACH → AGCH → LCH
(figure) MS and BTS (ARFCN), BSC, MSC
MS: Mobile Station
MSC: Mobile Station Controller
BSC: Base Station Controller
BTS: Base Transceiver Station
BSS: Base Station Sub-System (BTS and BSC)
(figure) MS, BSS, MSC, HLR, VLR
Mobile Identifiers
❖ IMSI
❖ IMEI
GSM Attacks
RACHell
❖ Request channel allocation
❖ Flood the BSS with requests
❖ First announced by Dieter Spaar at DeepSec
❖ Prevent everyone from using that cell
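An added example (written for this page, not code from the talk or from OpenBTS) that models the channel-opening sequence shown above, RACH then AGCH then a dedicated channel, from the BSS side and flags the two symptoms a RACHell flood produces: an abnormal aggregate RACH rate and exhaustion of the cell's SDCCH pool. The pool size, hold time, thresholds and the `t=... CHAN_REQ ra=...` log format are assumptions made for the example.

```python
# Added example (not from the talk): BSS-side monitor for the channel-opening
# sequence on the slides (RACH -> AGCH -> dedicated channel). It raises the
# two conditions a RACH flood produces: an abnormal aggregate RACH rate and
# exhaustion of the cell's dedicated signalling channels.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CellMonitor:
    sdcch_slots: int            # assumed pool of dedicated channels the cell can assign
    rach_window_s: float        # sliding window for the aggregate RACH rate
    rach_limit: int             # requests per window above which we alert
    hold_time_s: float = 5.0    # assumed time an unused assignment stays reserved
    _rach_times: deque = field(default_factory=deque)
    _release_times: list = field(default_factory=list)

    def channel_request(self, t):
        """Process one RACH burst seen at time t; return (assigned, alerts)."""
        alerts = []
        # A RACH burst carries only an establishment cause and a random
        # reference, no subscriber identity, so per-sender limits are not
        # possible: the usable signal is the aggregate rate per cell.
        self._rach_times.append(t)
        while t - self._rach_times[0] > self.rach_window_s:
            self._rach_times.popleft()
        if len(self._rach_times) > self.rach_limit:
            alerts.append("rach_rate")
        # Release channels whose hold timer has expired, then try to assign.
        self._release_times = [r for r in self._release_times if r > t]
        if len(self._release_times) >= self.sdcch_slots:
            alerts.append("sdcch_exhausted")   # AGCH can only answer with a reject
            return False, alerts
        self._release_times.append(t + self.hold_time_s)
        return True, alerts


def replay(lines, monitor):
    """Feed constructed log lines of the form 't=<sec> CHAN_REQ ra=<ref>'."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        t = float(fields["t"])
        _, alerts = monitor.channel_request(t)
        events.extend((t, a) for a in alerts)
    return events


# Constructed sample: three ordinary requests, then 20 requests within 0.2 s.
SAMPLE_LOG = ["t=0.0 CHAN_REQ ra=0x1a", "t=1.5 CHAN_REQ ra=0x3c",
              "t=3.0 CHAN_REQ ra=0x07"]
SAMPLE_LOG += [f"t={4.0 + i * 0.01:.2f} CHAN_REQ ra=0x{i:02x}" for i in range(20)]
```

With eight assumed SDCCH slots the burst exhausts the pool after five assignments, so every later request in the burst is rejected and the cell is unusable for everyone until the hold timers expire.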
Our Target
Demo - RACHell
IMSI Flood
❖ Send IMSI ATTACH messages
❖ Pre-authentication
❖ Overload the HLR/VLR infrastructure
❖ Prevent everyone using the network
IMSI DETACH
❖ Send multiple Location Update Requests including a spoofed IMSI
❖ Unauthenticated
❖ Prevent SIM from receiving calls and SMS
❖ Discovered by Sylvain Munaut
How hard to get an IMSI?
Baseband Fuzzing
How to make a smartphone
(figure omitted: two parts combined into a smartphone)
Two separate computers
Baseband
❖ Controls the radio
❖ Separate CPU and code base
❖ RTOS
❖ Written in C
❖ Typically legacy code base (decades)
GSM Frame Delivery
❖ OpenBTS + XML-RPC
❖ lch_open(char *IMSI)
❖ lch_send(int fd, char *buf, size_t len)
❖ lch_recv(int fd, char *buf, size_t len)
❖ lch_close(int fd)
GSM Fuzzing Framework
❖ USRP + OpenBTS for delivery
❖ GSM900 band
❖ BugMine case generation & mutation
❖ No instrumentation
❖ Very bad visibility on bugs
Coseinc GSM FuzzFarm
Targeting:
❖ iPhone
❖ HTC (Android)
❖ Palm Pre
❖ Blackberry
❖ Nokia
Conclusion
GSM Trouble
❖ GSM is no longer a walled garden
❖ GSM spec has security problems
❖ Expect many more issues as OSS reduces costs for entry
Future work
❖ More GSM stack fuzzing
❖ Next gen protocol stacks
Thanks to Harald Welte, Osmocom-bb & OpenBTS